The invention relates to a system and method for distributing software over a network. More particularly, the invention relates to a method for controlling software distribution by embedding a sub-component of the distribution control software in each software application, and having a central monitoring software for monitoring the distribution of the software applications.
Digitally encoded information, or software, is one of the most economically important commodities of the era. The ease and economy with which perfect copies can be made and distributed has promoted the spread of software and related technologies through traditional commercial channels such as retail and mail-order sales. More recently, non-traditional distribution channels such as distribution over networks of interconnected computers such as the Internet have become more viable. These non-traditional distribution channels have made it difficult for software creators and copyright holders to regulate the use of their creations or to receive payment and registration information from their users. Consequently, software producers forfeit substantial revenues and valuable information about their customer base and potential markets.
Various security methods have been employed in an attempt to inhibit illegal copying of software. Such attempts have included software security, such as password protection and requiring original diskettes to initiate startup, for example, and hardware security, such as a dongle, for example, inter alia. Further, hardware-based copy protection techniques, as well as those which involve modification or customization of executable programs, prevent software vendors from exploiting the non-traditional distribution networks that are becoming a mainstay of software distribution in the software marketplace. Therefore, these protection methods have generally proved inadequate for large-scale commercial distribution of software. Thus, most large software companies have relied on shrink-wrap licenses and legal remedies to enforce their copyrights which have proved moderately effective.
Another challenge to the software industry is regulating the installation of software. Since individual users perform most installations of software, the vendor has no control over the software installation. A user can currently purchase software that will not run on the user's computer. The user may not know the limitations of the user's computer hardware or may not understand the software's hardware requirements. If a user purchases software and the user's computer hardware is inadequate to run the software, then various problems are going to occur in the installation and execution of the software on the user's hardware. The user will have to spend much time and effort attempting to resolve the problem, often including multiple calls to the vendor's technical support lines at a cost to both the vendor and potentially the user.
Additionally, companies having large networked facilities can internally have thousands of networked computers accessible by numerous content servers on a single network. Each of the content servers can be running any of various operating systems as can the computers with which the servers are communicating. From an information management standpoint, maintaining such a computer base can be very difficult given that each user may have to install their own software or, in the case of networked software, each server has an individual copy of networked software for a subset of the users.
Many computer users are reluctant to purchase software on-line due to security issues. The possibility of piracy of the software and, more importantly to the user, personal information inhibits many users from taking advantage of this method of transaction. Some on-line services include security features for such information, but generally lack an ability for the user or the service to audit the security of the transmission. In addition, on-line services generally do not allow the service to keep users informed of new products and releases, unless the users release personal information to the service.
In some environments, the security of the network and data transmitted and stored thereon is critical. Such networks and environments include military, legal, business, and financial services. As a financial services example, an investment trading system may be linked to a bank custody and accounting system, wherein the two systems exchange data so that the bank system can provide "settlement" services related to the trading system's investment transactions. Attempts to make such networks secure, preventing the theft or manipulation of data by insiders and outsiders, often involve using human-entered passwords to gain access to the network. However, because such passwords exist in human readable form, it is possible to steal such passwords and gain access to the system. Such systems may also implement key encryption to secure the data, but if the system is violated through password detection or other means, the keys may be obtained and used, unknown to network administrators. As an example, a method presently used to protect transmission of data over a network is a virtual private network that uses digital certificates, which involves the use of various root private keys which are manually protected in a secure environment. If these root keys can be discovered or broken, the network can be compromised. These keys generally have a life of one or two years. If a key in one of these systems is stolen, the theft cannot be detected. Consequently, these networks may be unacceptably vulnerable.
Additionally, these networks are typically large and complex and susceptible to the inclusion of "trap doors" during their generation and installation. A "trap door" is hidden software code that allows an application to secretly send data to unauthorized recipients, for example. Furthermore, the generation and installation is typically labor intensive, requiring programmer generation and manipulation of software files to build the necessary components and hand installation of these components at remote sites to build the network. Since the generation and installation is piecemeal and disjoint, it is not a quick process. Also, it does not lend itself to generating billing information of the clients receiving access to the network as it is being installed, since account services are not typically included until after the system or network installation is complete. Therefore, additional resources are required to generate necessary billing information.
Accordingly, it is an object of the invention to provide a private secure network and method for protecting electronically distributed and stored data from theft, both by outsiders and technologically sophisticated insiders. It is another object of the invention to provide an auditable secure network and method for auditing a secure network during generation, installation, and operation of the secure network. It is yet another object of the invention to provide a secure network and method for establishing and maintaining a high degree of data security in the direct connection between a trading desk in a securities firm and the settlement application in a custody bank, thereby facilitating real-time, or near real-time, settlement. It is a further object of the invention to provide a system and method for rapidly generating and installing an auditable secure network remotely. It is yet a further object of the invention to provide a system and method for systematically defining the types of data to be sent over a network to be generated and installed and for auditing performance against this definition. It is still another object of the invention to provide a system and method for generating billing information from a network installation. It is also an object of the present invention to provide a system and method for resolving security violations in a private secure network that requires verification by auditors.
It is further an object of this invention to protect transfers of cash among large financial institutions. When cash is transferred through electronic means, large quantities of cash can be transferred in a short period of time. Insiders who have access to the networks of large financial institutions might plan to install software that, at the appropriate moment, could overcome the security system and process a large illegal cash transfer. A further object of this invention is to install systems that can protect against insider theft of cash through electronic means, particularly where the insiders have time and technical knowledge to install sophisticated software to accomplish an illegal theft of cash.
These and other objects of the invention are achieved by the system and methods described herein.
The aforementioned and other objects of the invention are achieved by the invention, which is a system for installing a software application to a remote computer via a network. The network is one which has at least one content server located thereon, which serves data to a plurality of attached computer clients. This network model is intended to include both intranets and internets. That is, the network may be an internal corporate network, an intranet, or a global network of networks such as the Internet, for example. The system comprises a server module and an agent module.
The server module is disposed on the server. The server module maintains a database of software applications and constraints associated therewith. In the case of commercial distribution of the software application, the server module also maintains a database that includes billing information.
The agent module can be embedded in more than one type of software application, and is actuatable by the remote computer to initiate installation of the software application on the remote computer. Upon initiation, the agent module electrically communicates with the server module which selectively enables the installation. In the case of a commercial distribution of the software over the Internet, for example, the user, upon finding a software application which the user wishes to purchase, selects the software application. An agent module would then communicate with the server module.
In one embodiment, the agent module would be embedded in the software application the user selected to purchase, and it would be actuatable by the remote computer. After actuation by the remote computer, the agent module would communicate with the server module. In another embodiment, the agent module embedded in the software application would remain inactive until after the software application was installed. In this embodiment, a second agent module, which for clarity will hereinafter be referred to as a plug-in, disposed on the remote computer would communicate with the server module. The plug-in would preferably be installed in the user's browser software, which the user is using to connect to the Internet.
The server module can be on a separate remote content server or the same content server upon which the software application is located. The physical location is not important to the individual modules as long as they can communicate electronically. The server module then transfers hardware constraints, pricing information and available options particular to the chosen software application to the remote computer.
The user of the remote computer then accepts the pricing, confirms acceptance of license terms and inputs user information, all of which is then transferred back to the server module as identification information. Upon verified receipt of the user's information, the server module then enables the installation of the software application by communicating with the agent module, either the agent module embedded in the software application or the plug-in embedded in the browser. Installation of the software application can then proceed over the network.
In other embodiments, where the pricing and payment of the software application is accomplished independently of the installation, installation of the software on a remote computer (i.e., target site) may be commenced in response to other parameters, rather than pricing and payment. For example, if a company or other organization procured several copies (or licenses) of a single application for several of its sites, payment of such software (or licenses) may be accomplished prior to the installation thereof or in accordance with a payment schedule. Therefore, payment and installation need not be related.
Where data security is a concern and the protection of data is necessary, the present invention includes mechanisms to prevent unauthorized copying or alteration of electronically stored and transmitted data by outsiders (e.g., "pirates") and trusted insiders. For example, the system performs generation and subsequent operation of a secure network without revealing embedded detailed security measures to software developers. The network includes a plurality of linked nodes, wherein each node is formed from the installation of a software application on a predetermined remote computer or target site. A monitoring capability is used to ensure security is maintained and to respond to security violations, and human auditing of the network may be employed to verify proper installation in accordance with a network definition template. Once completed, the template substantially defines, in human readable form, the network from a top level, including identification of each node, identification of each link between nodes, identification of data types to be exchanged between nodes, and identification of a software application to be installed as part of each node. A set of agent library functions is included with the application to facilitate communication of each node with the rest of the network.
An agent module generator receives the template information and generates network components therefrom. For each specific node identified in the template, a unique agent module and a node configuration file is generated, including information about each link of which the node is a part. A network information file, or files, is also generated which embodies the overall network structure. For each link, as part of each agent module, a pair of keys is generated, one key corresponds to data transmission over the link in one direction and the second key corresponds to data transmission in the opposite direction. A key is a series of binary bits, probably not human readable, which is used as part of an encryption algorithm. Each agent module is loaded, either over a network (e.g., the Web) or manually from a computer disk or CD ROM, for example, onto its corresponding target site. Once loaded, the agent module is executed, configures itself, and communicates with an installation server (i.e., server module) in a secure, encryption key based manner to load the requisite software application onto the target site. Once the application software and configuration file are downloaded and executed on a target site, the node communicates with a monitor node to gain access into the network. The agent module should be used to install the link as soon after it is constructed as possible.
As part of the auditing of the installation of each network node, the input of a local sales password may be required for downloading the node application software and configuration file and input of an audit password may be required for installation of the node into the network (via the monitor node). A password is a string of numbers and letters which is used by humans to gain access to a computer system. The monitor node oversees the installation and subsequent operation and security of the network. If an attempt is made to install a node more than once, the monitor node may shut down that node or the entire network. The feature that a node may be installed only once is important to prevent an attack whereby an agent module might be stolen and then used to attempt to install a node from a location other than the target location. Even if the thieves somehow were able to spoof that the fraudulent node was the real node, when the legitimate attempt was made to install the correct node, the deception would be uncovered. An account server may also be included which, among other things, tracks the installation of each node for billing purposes.
Communication between nodes requires a dual login between the two nodes seeking to send and receive data, using the keys for that link. These keys are randomly generated data, and may be changed periodically. Communication is further protected using encryption with unique, randomly generated public-private key pairs. One pair of keys is generated for each node in the link. Of the pair, one key is dedicated for data transfer in one direction over the link and the other key is dedicated for data transfer in the other direction. The private key is randomly generated when an agent module is executed for the first time on its node, and is generally used to decrypt data received by the node. The node's public key is generated from the private key using a known encryption algorithm (e.g., RSA) and is used by another node to encrypt data to be transmitted to the node that generated the public key. A session key for the node may also be generated for a given communication session. The session key is used to perform a second encryption on the data to be transmitted. Session keys are shared by the nodes in a link. Each node in the link passes its public key to the other node. When a sending node prepares to transmit a message to a receiving node, that message is encrypted with the receiving node's public key and then again with the session key. The receiving node uses the session key and the receiving node's private key to decrypt the message. Rather than one shared session key, each node may, alternatively, have its own session key, which is encrypted and sent to the other node in the link.
For increased security, the keys may be strobed, that is, changed every few seconds. The monitor node controls the strobing of keys between nodes. Critical node pairs may be strobed at regular or erratic intervals, possibly every 2 or 3 seconds, whereas less critical node pairs could be strobed at longer intervals, possibly every 5 to 10 seconds. To strobe, each node randomly generates a new private-public key pair and session key and passes the public and session keys to the other node in a secure manner. Each node involved then stores the other node's keys for decryption of messages received from that node. When strobing is performed between two linked nodes, in-progress communication between the two nodes, if any, must complete before the strobing takes place. In another embodiment, strobing is accomplished with persistence of the current and previous set of keys from each node in the link being strobed. Therefore, if a node, a link, or the network goes down, the links will attempt to come back up using the current set of keys, but may default to the previous set of keys if unsuccessful. This can be particularly useful if a node goes down during a strobe.
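The persistence embodiment described above (retain the current and the previous key set, try the current set first on recovery, fall back to the previous set) is sketched below as an added example; it is not code from the patent. It assumes a single shared link secret per direction and an HMAC-SHA256 challenge-response login, neither of which the text specifies, and the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


class LinkKeyRing:
    """Keys one node retains for one direction of a link: current + previous."""

    def __init__(self, initial_key: bytes):
        self.current = initial_key
        self.previous = None  # no fallback exists before the first strobe

    def strobe(self, new_key: bytes) -> None:
        """Install a new key; the old current key becomes the only fallback."""
        self.previous, self.current = self.current, new_key

    def candidates(self):
        """Keys to try when the link comes back up, current first."""
        return [k for k in (self.current, self.previous) if k is not None]


def login_tag(key: bytes, challenge: bytes) -> bytes:
    """Proof of key possession for a link login (HMAC is an assumption here)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify_login(ring: LinkKeyRing, challenge: bytes, tag: bytes):
    """Return 'current', 'previous', or None when no retained key matches."""
    for label, key in zip(("current", "previous"), ring.candidates()):
        if hmac.compare_digest(login_tag(key, challenge), tag):
            return label
    return None


def simulate_missed_strobe():
    """Constructed scenario: node B goes down during a strobe and misses it."""
    k0, k1, k2 = (secrets.token_bytes(32) for _ in range(3))
    a_ring = LinkKeyRing(k0)   # node A's retained keys for the link
    b_key = k0                 # node B's copy, frozen while B is down

    a_ring.strobe(k1)          # strobe 1: B still holds k0
    challenge = secrets.token_bytes(16)
    after_one = verify_login(a_ring, challenge, login_tag(b_key, challenge))

    a_ring.strobe(k2)          # strobe 2: k0 is now two generations old
    challenge = secrets.token_bytes(16)
    after_two = verify_login(a_ring, challenge, login_tag(b_key, challenge))

    # A party holding an unrelated key never matches either retained set.
    stranger_key = secrets.token_bytes(32)
    stranger = verify_login(a_ring, challenge, login_tag(stranger_key, challenge))
    return after_one, after_two, stranger


if __name__ == "__main__":
    print(simulate_missed_strobe())
```

Keeping exactly one previous generation bounds how long a stolen key stays usable: a node that misses one strobe recovers, while a key two strobes old is refused.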
Unlike the manually protected root keys of typical virtual private networks, which may have a life of a year or more, the private keys under the present invention have an initial life that consists of the time between when the keys for the agent modules are generated by the server and when the modules use these keys to make an installation. This time period could be as short as 15 minutes, for example. Thereafter, when the system is installed, the keys are changed or strobed every few seconds. Thus the present invention substantially diminishes the time during which private keys remain valid and substantially reduces the risk of the private keys being stolen and used by pirates. Moreover, the present invention includes methods for detecting theft during the relatively brief period when a private key is in effect.
With regard to installation, there is a window of opportunity, between the time the agent is generated and the link is installed, during which the pirate could steal the private key from the server and construct a phony server so that, at the time of installation, the phony server could spoof to the agent that it was the server and to the server that it was the agent. This type of attack would require a "mole" in the installation server room capable of stealing the private key and with software that could immediately generate a phony server.
The present invention, preferably, includes a method of detection of this type of attack by auditing the installation to compare the server public key used by the agent or the installed application to the actual server public key: if they are different, a pirate has interposed itself between them. This comparison can be effectuated by a proper auditing procedure that uses human beings to communicate certain control values from the installed site to the audit server through means which are not related to the network connecting the installed site with the server.
Thus, unlike the case of the root keys used in a digital certificate system, if a private key is stolen under the present system it can be detected before the system is installed.
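The two installation checks described above, the install-once rule enforced by the monitor node and the out-of-band comparison of the server public key, are illustrated in the following added example, which is not code from the patent. The control-value format (a truncated SHA-256 digest in four-character groups), the class and function names, and the sample keys and site names are all assumptions made for illustration.

```python
import hashlib
import hmac


def control_value(public_key_bytes: bytes, groups: int = 8) -> str:
    """Digest of a public key short enough for a person to read out by phone.

    Eight groups of four hex digits keep 128 bits of the SHA-256 digest;
    fewer groups are easier to read but easier to forge a match for.
    """
    digest = hashlib.sha256(public_key_bytes).hexdigest().upper()
    return "-".join(digest[i:i + 4] for i in range(0, groups * 4, 4))


class MonitorNode:
    """Tracks node installations and audits the server key each site saw."""

    def __init__(self, server_public_key: bytes):
        self._server_key = server_public_key
        self._installed = {}   # node id -> site that performed the install
        self.alerts = []       # findings for the human auditors

    def register_install(self, node_id: str, site: str) -> bool:
        """Accept the first install of a node; flag any later attempt."""
        if node_id in self._installed:
            first_site = self._installed[node_id]
            self.alerts.append(("duplicate-install", node_id, first_site, site))
            return False
        self._installed[node_id] = site
        return True

    def audit(self, node_id: str, reported_value: str) -> bool:
        """Compare the value read out at the installed site with the real key."""
        expected = control_value(self._server_key).encode()
        reported = reported_value.strip().upper().encode()
        ok = hmac.compare_digest(expected, reported)
        if not ok:
            # The site encrypted to a key that is not the server's own.
            self.alerts.append(("server-key-mismatch", node_id))
        return ok


def run_constructed_audit():
    """Constructed keys and site names; no real key material is involved."""
    real_key = b"constructed-server-public-key-A"
    phony_key = b"constructed-interposed-key-B"
    monitor = MonitorNode(real_key)

    first = monitor.register_install("node-7", "site-boston")
    honest = monitor.audit("node-7", control_value(real_key).lower())
    spoofed = monitor.audit("node-7", control_value(phony_key))
    second = monitor.register_install("node-7", "site-unknown")
    return first, honest, spoofed, second, [a[0] for a in monitor.alerts]


if __name__ == "__main__":
    print(run_constructed_audit())
```

The audit only detects an interposed server if the reported value travels by a path the interposer does not control, which is why the text calls for human communication unrelated to the network.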
Also, there is a very narrow window of opportunity (a fraction of a second) for a pirate to interpose itself when the network is in operation. If a pirate did penetrate an installation server room and steal private keys and session keys instantaneously as they were generated, it could possibly interpose a node on the network. This type of security violation can also be detected by human audit of the network. The network can be automatically audited every few seconds by using two monitors, where the second monitor is used to compare the two keys. For pirates to penetrate a two-monitor network, they would then have to be able to instantaneously steal private keys from two separate secure sites.
Thus, when the network is in operation, the window of opportunity during which a private key can usefully be stolen is a fraction of a second compared with a year for a digital certificate system. Moreover, the present invention includes a method to detect an interposition even within a fraction of a second.
A secure network may include a plurality of subnetworks. Each subnetwork can be a distributed complement of computers, located at physically separate locations. Furthermore, each subnetwork may include a plurality of subnetworks. A typical network or subnetwork may include a hub node to which is connected a plurality of application nodes. Additionally, as described above, each subnetwork may include two or more monitor nodes. In such a network, the hub nodes may be interconnected via a higher level hub node and two monitor nodes (also at the higher level) may be connected to the higher level hub node and to corresponding subnetwork level monitor nodes. Communication between hub nodes preferably includes the same key-based security measures previously discussed, including the strobing of keys. Two hub nodes strobe their keys under the control of a higher level monitor node, similar to the monitor controlled strobing previously discussed.
In further aspects, the invention provides methods in accord with the apparatus described above. The aforementioned and other aspects of the invention are evident in the drawings and in the description that follows.